Description
Horizontal Broken Function Level Authorization (BFLA) is a security vulnerability that occurs when an application fails to properly restrict access to sensitive functions or resources between users of the same privilege level. This allows attackers to perform unauthorized actions or access restricted data belonging to other users with the same access level by manipulating requests to bypass access controls.
Remediation
Implement proper authorization checks for every access to a resource or function:

1. Implement consistent and thorough access control checks for all sensitive functions and resources.
2. Use role-based access control (RBAC) or attribute-based access control (ABAC) systems.
3. Implement the principle of least privilege, granting users only the minimum necessary permissions.
4. Centralize authorization logic to reduce the risk of inconsistent implementations.
5. Conduct regular security audits and penetration testing to identify and address any BFLA vulnerabilities.
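The following is an added example, not code from the original page: the handler pattern the description and remediation refer to, in plain Python without a web framework. The first handler only checks that the caller is authenticated with the right role, so any customer can act on another customer's invoice by changing the id; the second routes every access through one `authorize()` function that also checks ownership. The user, invoice and function names are hypothetical, and the data is constructed inline.

```python
from dataclasses import dataclass

# Constructed sample data: two users at the same privilege level ("customer")
# and one invoice owned by each. Ids and values are hypothetical.
@dataclass(frozen=True)
class User:
    user_id: int
    role: str

INVOICES = {
    101: {"owner_id": 1, "total": 50.0},
    102: {"owner_id": 2, "total": 75.0},
}

class Forbidden(Exception):
    """Raised when the authenticated user may not perform the requested action."""

def cancel_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    # Horizontal BFLA: only the caller's role is checked, never whether the
    # targeted invoice belongs to the caller. Any customer can cancel any invoice.
    if current_user.role != "customer":
        raise Forbidden("customers only")
    invoice = INVOICES[invoice_id]
    return {**invoice, "status": "cancelled"}

def authorize(current_user: User, action: str, resource: dict) -> None:
    """Single place where function-level and ownership rules live.

    Every handler calls this, so the ownership check cannot be present in one
    endpoint and forgotten in another (remediation step 4).
    """
    allowed_roles = {"cancel_invoice": {"customer"}}
    if current_user.role not in allowed_roles.get(action, set()):
        raise Forbidden(f"role {current_user.role!r} may not {action}")
    # Horizontal check: the acting user must own the resource they target.
    if resource["owner_id"] != current_user.user_id:
        raise Forbidden("resource belongs to another user")

def cancel_invoice(current_user: User, invoice_id: int) -> dict:
    # Hardened handler: fetch the record, authorize against it, then act.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError("no such invoice")
    authorize(current_user, "cancel_invoice", invoice)
    return {**invoice, "status": "cancelled"}

def outcome(handler, current_user: User, invoice_id: int) -> str:
    """Demonstration helper: report how a handler responds to a request."""
    try:
        return handler(current_user, invoice_id)["status"]
    except Forbidden:
        return "forbidden"
```

Running `outcome(cancel_invoice_vulnerable, User(2, "customer"), 101)` returns "cancelled" even though invoice 101 belongs to user 1, while the hardened `cancel_invoice` returns "forbidden" for the same request.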
References
Related Vulnerabilities
WordPress Plugin TeraWallet - For WooCommerce Insecure Direct Object Reference (1.4.3)
ProjectSend Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2017-20101)
Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7925)
Envoy Proxy Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-45806)